Meet the 29-year-old South African unravelling the multi-billion-rand Africrypt theft

Written by Ciaran Ryan. Posted in Journalism

Hamilton Cheong, who grew up in the Magaliesberg, is helping law enforcement authorities in several jurisdictions uncover where the money went. From Moneyweb.

Cheong’s company helps governments and organisations secure their digital assets against threats coming from ransomware and organised crime. Image: Supplied
Cheong’s company helps governments and organisations secure their digital assets against threats coming from ransomware and organised crime. Image: Supplied

There are several aspects to the Africrypt ‘hack’ – reckoned to have lost R43 billion – that have caught the attention of law enforcement authorities across the globe.

The first is the size of the reported theft at $2.9 billion or about R43 billion. It’s a figure so eye-poppingly huge that many have questioned whether this volume of money could have come out of SA.

The other aspect of the theft that has law enforcement on high alert is whether this was the result of a hack – as claimed by Raees and Ameer Cajee, the two brothers behind Africrypt – or whether it was an inside job. The Cajees fled South Africa, apparently in fear of their lives after receiving death threats immediately after the alleged hack.

Read:Trail of brothers linked to missing bitcoin stash is still murky

Africrypt’s Raees Cajee comes out of hiding in Tanzania to oppose liquidation

The man who has a better understanding than most of what happened is Hamilton Cheong, a South African-born forensic sleuth now based in the US, who has spent the last few weeks assisting law enforcement agencies around the world to unpack what happened with the Africrypt billions.

Blockchain track-and-trace

Cheong’s company, Crypto Investigation Bureau (CIB), helps governments and organisations secure their digital assets against modern-day threats coming from ransomware and organised crime.

It has developed a blockchain track-and-trace programme called God’s View to hunt down missing digital assets, and it was this programme that was used to piece together the movement of funds into and out of Africrypt wallets.

The blockchain is a detailed and immutable ledger of all bitcoin transactions, and is open to public scrutiny. The problem is linking bitcoin addresses with real-world people and organisations, though that is becoming easier through the use of software tools like God’s View, which made it possible to track every bitcoin moving into and out of Africrypt-controlled wallets.

‘Hack’ story

Cheong says the evidence does not support the story of a hack originating out of Ukraine, as claimed by Raees Cajee in an affidavit before the Gauteng High Court seeking to stop the final liquidation of Africrypt.

Under Cajee’s version of events, on April 13 hackers from Ukraine smashed through several layers of security to make off with more than R50 billion in crypto assets.

“We don’t think this is possible,” says Cheong, a certified crypto and blockchain investigator.

“If this is true, the hackers would have broken through several security layers in a matter of minutes to get to the crypto, and that is extremely unlikely. We don’t think this was a hack. One reason we say this is that four months before the alleged hack, funds were being depleted out of wallets under the control of Africrypt.”

Millions or billions lost?

Raees Cajee claims in his affidavit that the extent of funds under Africrypt control was closer to $6 million (R88.5 million) than the R54 billion claimed by attorney Darren Hanekom of Hanekom Attorneys, who is representing several Africrypt clients.

Even that low figure of $6 million is disputed, as claims totalling around R200 million in SA have mounted against Africrypt.

Cheong says Hanekom’s claim of R43 billion is closer to the truth, and hints that the actual figure could be higher – much higher – once all the wallets used by Africrypt are totalled together.

By painstakingly piecing together the web of transactions into and out of wallets used by Africrypt, Cheong hints that some of these wallets are used by operators known for ransomware attacks on business and by ‘dark web’ operatives.

“I don’t buy the hack story, and I think the Cajees were in over their heads and perhaps got mixed up with some really bad people,” says Cheong.

A better picture of what occurred awaits the release of a full forensic report by Cheong’s team.

Disturbing tie-ins

Astonishingly, he says there are some disturbing tie-ins between Africrypt and Mirror Trading International (MTI), the crypto scam headed by CEO Johann Steynberg that roped in more than 23 000 bitcoin from hundreds of thousands of investors around the world.

MTI is currently in provisional liquidation, and Steynberg remains at large, having gone awol in December 2020 when MTI members’ requests for withdrawals went unanswered.

Some of the same ‘tumblers’ used by Africrypt were also used by MTI, says Cheong.

Tumblers are used by money launderers to hide the origin of funds by effectively creating an omelette out of several bitcoin eggs. Bitcoin from several sources are mixed and broken up in these tumblers and then shipped out, usually in small quantities, to cover the tracks of the money launderers.

Cheong dedicated hundreds of hours of his own and his team’s time to unravelling the Africrypt web because he had the resources and tools to do it. He also has a deep sense of patriotism.

Africa is home, he says, but SA is earning a reputation internationally as a haven for dodgy crypto ventures.

MTI was rated by Chainalysis as the world’s biggest crypto scam of 2020, but it pales alongside what appears to have been stolen out of Africrypt-linked wallets.

Read: MTI was by far 2020’s biggest investment scam – Chainalysis

Says Cheong: “We must assume the Cajee brothers are innocent until proven guilty.

“My question to them is why have they not commissioned an incident report by professionals to clear [their] names, instead of running?

“If they are willing to provide CIB with their full app and source code, we would love to help,” he adds.

A long way from home

Cheong says he grew up in a troubled family and ended up homeless in SA for extended periods. He was passed between different households but while working at a scrapyard discovered a talent for fixing broken computers.

Forced out of necessity into entrepreneurship, he sold reconfigured computers at flea markets over weekends, and left for Israel in 2014 where he gained hands-on experience in some of the biggest tech businesses in the world.

That experience also drew him into coding and financial markets. In 2016, he created an electronic wallet for the secure storage of digital assets, and that brought him to the attention of Canadian investors who helped fund the early-stage launch of the product, called Just Wallet.

“We’re trying to replace Swift as the global system for payments,” says Cheong.

Ironically, he believes cryptos are a scam, in large measure because the boast of decentralised control is already subverted by the centralisation of control of parts of the crypto value chain in certain hands.

“We have ransomware attacks occurring on a daily basis and no one has really come up with a firewall against that.

“This is what we decided to do. You’ve got huge volumes of wealth being transmitted electronically and far too many weak points in the chain.”

When the Africrypt story is finally told, Cheong’s name will feature strongly in the credits.

Moneyweb reached out to Raees Cajee by phone without success.

Read: Lightning strikes twice for Africrypt’s Cajee brothers

Ciaran Ryan

The Writer's Room is a curated by Ciaran Ryan, who has written on South African affairs for Sunday Times, Mail & Guardian, Financial Mail, Finweek, Noseweek, The Daily Telegraph, Forbes, USA Today, Acts Online and Lewrockwell.com, among others. In between he manages a gold mining operation in Ghana, and previously worked in Congo. Most of his time is spent in the lovely city of Joburg.